<?php
/***************************************************************************
 *   copyright : (C) 2009 Udrea Cristian
 *   site : http://code.google.com/p/testauction-php
 ***************************************************************************/

/***************************************************************************
 *   This program is free software; you can redistribute it and/or modify
 *   it under the terms of the GNU Lesser General Public License as 
 *   published by the Free Software Foundation; either version 2 of the
 *   License, or (at your option) any later version. Although none of the
 *   code may be sold. If you have been sold this script, get a refund.
 ***************************************************************************/
include("include/session.php");
include("include/classes/class.AuctionHandler.php");
header('Content-Type: application/xml');
echo "<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?>";
?>
<response>
<?php
// Various kinds of error checking
$allowbid = 1;

// Test for address bar injection
if(!isset($_GET['id']) || !isset($_GET['key']))
	$allowbid = 0;
// Test for cookie theft
if(!$session->logged_in && !$database->isUserActive($session->username))
	$allowbid = 0;
// Test for injection
if($session->userid != $_GET['key'])
	$allowbid = 0;
// Test for invalid, closed or inactive auctions
$auction_info = $auctionDB->getAuctionData($_GET['id']);
if (count($auction_info) == 0 || $auction_info['closed'])
	$allowbid = 0;
if($auction_info['starts_timestamp'] > time())
	$allowbid = 2;
// The ohshi case when someone tries to outbid 
// himself O_o (or furiously presses the offer button like mad)
$lastoffer = $auctionDB->getAuctionLatestOffer($_GET['id']);
// Test for miliseconds left (last 2000 ms - should take care of 'edge-bids')
if($auction_info['time_left'] < 2)
	if($lastoffer['timestamp'] + ($auction['time_interval'] * 1000) >= time())
		$allowbid = 0;
if($lastoffer['username'] == $session->username)
	$allowbid = 3;
// Finally the auctions close at CLOSING_HOUR.
// Deny bidding after closing time.
$hour = date('H', time());
if(!($hour >= OPENING_HOUR && $hour < CLOSING_HOUR))
	$allowbid = 4;
?>
<allowbid><?php echo $allowbid; ?></allowbid>
<?php
// The request seems to be legit, try to bid
if($allowbid == 1) {
	$creditinfo = $auctionDB->getUserCreditInfo($session->username);
	if($creditinfo['credit_balance'] > 0) {
		$creditinfo['credit_balance'] -= 1;
?>
<nocredits>false</nocredits>
<?php
		if($creditinfo['offers_left'] > 0) {
			$creditinfo['offers_left'] -= 1;
		}
		else {
			$creditinfo['offers_left'] = BONUS_OFFER_COUNT;
			$creditinfo['give_bonus'] = 1;
		}
		
		$auctionDB->setUserCreditInfo($creditinfo);
		$auctionDB->addAuctionOffer($creditinfo['userkey'], $_GET['id']);
		execute_update('UPDATE ' . TBL_AUCTIONS . ' SET new_bid = ? WHERE auction_id = ?', array(1, $_GET['id']));
	}
	else {
?>
<nocredits>true</nocredits>
<?php
	}
}
else {
?>
<nocredits>dontcare</nocredits>
<?php 
}
?>
</response>
